Abstract. The Diffie-Hellman key agreement protocol is based 
on taking large powers of a generator of a prime-order cyclic group. 
Some generators allow faster exponentiation. We show that to 
a large extent, using the fast generators is as secure as using a 
randomly chosen generator. On the other hand, we show that if 
there is some case in which fast generators are less secure, then 
this could be used by a malicious authority to generate a standard 
for the Diffie-Hellman key agreement protocol which has a hidden 
trapdoor. 



1. Introduction 

The Diffie-Hellman key agreement protocol [3] is one of the most 
celebrated means for two parties, say Alice and Bob, to agree on a 
secret key over an insecure communication channel. Alice and Bob 
make their computations in some previously fixed cyclic group G with 
an agreed generator g. The protocol is defined as follows: 

(1) Alice chooses a random $a \in \{1, \ldots, |G| - 1\}$, and sends $g^a$ to Bob.

(2) Bob chooses a random $b \in \{1, \ldots, |G| - 1\}$, and sends $g^b$ to Alice.

The agreed key is $g^{ab}$, which can be computed both by Alice ($(g^b)^a$) and by Bob ($(g^a)^b$).

Due to the Pohlig-Hellman attack [6] (which exploits the Chinese 
Remainder Theorem), it is preferred that the order of the group be 
prime, which is henceforth assumed. 

Consider, for example, the case $g \in \mathbb{F}_q^*$ where $q$ is prime. Let $p$ be the (prime) order of the generated group $G = \langle g \rangle \le \mathbb{F}_q^*$. Computing $g^x$ for $x \in \{1, \ldots, p-1\}$ consists of squaring and multiplying. If $g = 2$, then the multiplication operation amounts to shifting and taking modular reduction. For $h \in \mathbb{F}_q^*$,

$$2h \bmod q = \begin{cases} 2h & h < q/2 \\ 2h - q & q/2 < h, \end{cases}$$

which is computationally negligible in comparison to multiplying by a random $g$. In standard square-and-multiply implementations this saves about 33% of the computational complexity of evaluating $g^x$ (in fact, squaring can often be done more efficiently than general multiplication, so this saves more). Thus, if $2 \in G$, we may wish to choose it as our generator. If $2 \notin G$, we can use other generators for which similar comments apply (like 3, 5, etc.).

Key words and phrases. Diffie-Hellman Problem, Discrete Logarithm Problem, fast generators, trapdoor.

Supported by the Koshland Center for Basic Research.
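The cost argument above, worked through as an added example (Python code written for this page, not code from the paper): a left-to-right square-and-multiply exponentiation in $\mathbb{F}_q^*$ that counts its squarings and general multiplications, beside the same loop for $g = 2$, where each multiplication is the shift-and-reduce step $2h \bmod q$. The prime $q = 2039$, the exponents, and all function names are constructed for the illustration. Since roughly half the bits of a random exponent are set, the multiplications are about half as many as the squarings, which is where the "about 33%" of the operation count comes from.

```python
# Added example: operation counts of square-and-multiply with a general base
# versus base 2, whose multiply step is a shift and a conditional subtraction.

def mul_by_2(h, q):
    """2h mod q for an odd prime q and 0 <= h < q: one shift, at most one subtraction."""
    h2 = h << 1
    return h2 - q if h2 >= q else h2        # h < q/2 -> 2h ;  q/2 < h -> 2h - q

def exp_general(g, x, q):
    """Left-to-right square-and-multiply.
    Returns (g^x mod q, number of squarings, number of general multiplications)."""
    acc, squarings, mults = 1, 0, 0
    for bit in bin(x)[2:]:                   # most significant bit first
        acc = acc * acc % q
        squarings += 1
        if bit == "1":
            acc = acc * g % q                # general modular multiplication
            mults += 1
    return acc, squarings, mults

def exp_base_2(x, q):
    """Same loop with g = 2: every multiplication becomes mul_by_2.
    Returns (2^x mod q, number of squarings, number of shift-and-reduce steps)."""
    acc, squarings, shifts = 1, 0, 0
    for bit in bin(x)[2:]:
        acc = acc * acc % q
        squarings += 1
        if bit == "1":
            acc = mul_by_2(acc, q)           # shift + conditional subtract, no multiplication
            shifts += 1
    return acc, squarings, shifts

def saving_fraction(x, q):
    """Fraction of the operation count (squarings + multiplications) that disappears
    when g = 2, treating a shift-and-reduce as free.  For an exponent with half its
    bits set this is exactly 1/3; for a random exponent it is about that."""
    _, squarings, mults = exp_general(2, x, q)
    return mults / (squarings + mults)
```

For example, the exponent 682 = 1010101010 in binary has 10 bits of which 5 are set, so `saving_fraction(682, 2039)` is exactly 1/3; and because 2039 is 7 mod 8, 2 is a quadratic residue and `exp_base_2(1019, 2039)` returns 1, i.e. 2 lies in the subgroup of order 1019.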

We show that, in the common interpretation, this can be done with 
no loss of security. On the other hand, we show that if there is a 
conceivable way to make some generators weaker than random ones, 
then this can be used by an authority of standards to find parameters 
for the Diffie-Hellman protocol with a trapdoor allowing the authority 
to exploit these weaknesses. In the appendix we give an example of a 
public-key cryptosystem based on this phenomenon. 

The results also apply to choices of efficient generators in other groups, e.g., low Hamming weight polynomials in $\mathbb{F}_{2^m}^*$, or low weight elements in hyper-elliptic curves.



2. A fast generator is almost as secure

Let $G = \langle g \rangle$ be a cyclic group of prime order $p$. Let $f \in G$ be any element except the identity. Then $f$ is a generator of $G$. In the intended application, $f$ is chosen so that the computation of $f^x$ is more efficient (we call $f$ a fast generator), or so that its usage is convenient for some other reason.

Fix $h \in G$. An algorithm $D_h$ (depending on $h$) is said to solve the Diffie-Hellman Problem (DHP) for base $h$ if, for each $x, y \in \{1, \ldots, p-1\}$, $D_h(h^x, h^y) = h^{xy}$.

Henceforth, for a number $r \in \{1, \ldots, p-1\}$, $r^{-1} \bmod p$ denotes the element $s$ of $\{1, \ldots, p-1\}$ such that $sr \equiv 1 \pmod p$.

The following theorem is presumably known to specialists, but we have not been able to find a reference. The method of proof, however, is standard.

Theorem 1. Assume that for some $f \in G \setminus \{1\}$, there exists an algorithm $D_f$ to solve the DHP for base $f$, in running time $T(f)$. Then for each $g \in G \setminus \{1\}$, there is an algorithm $D_g$ which solves the DHP for base $g$ in running time $O(T(f) \cdot \log p)$.

Proof. Given $g$, there exists a unique $r \in \{1, \ldots, p-1\}$ such that $g = f^r$.

Lemma 2. Given $f^r$, we can compute $f^{r^{-1} \bmod p}$ using at most $2 \log p$ queries to $D_f$.

Proof. By Fermat's Little Theorem, $r^{p-1} \equiv 1 \pmod p$, and therefore $r^{p-2} \equiv r^{-1} \pmod p$.

We can compute $f^{r^{-1}} = f^{r^{p-2}}$ using $D_f$ in a square-and-multiply manner: Write $p - 2$ in base 2 as $b_0 + b_1 \cdot 2 + \cdots + b_n \cdot 2^n$, $b_n \neq 0$ (then $n \le \log_2 p$). Let $f_0 = f^r$. For each $i = 1, 2, \ldots, n$ compute $h_i = D_f(f_{i-1}, f_{i-1})$, and let $f_i = D_f(h_i, f^r)$ if $b_{n-i} = 1$, and $f_i = h_i$ otherwise. Then $f_n = f^{r^{p-2}}$. □

Now, assume that we are given $g^x$, $g^y$ and we wish to find $g^{xy}$. Recall that $g = f^r$. Compute $f^{r^{-1}}$ as in Lemma 2 and proceed with

$$D_f(f^{r^{-1}}, g^y) = D_f(f^{r^{-1}}, f^{ry}) = f^{r^{-1} r y} = f^y,$$

and

$$D_f(g^x, f^y) = D_f(f^{rx}, f^y) = f^{rxy} = g^{xy}. \qquad \square$$

Remark 3 (Amplification). Theorem 1 generalizes to various other settings. For example, assume that $D_f$ only solves the DHP with probability $\epsilon$, i.e., for each $z \not\equiv xy \pmod p$,

$$\Pr[D_f(f^x, f^y) = f^{xy}] > \Pr[D_f(f^x, f^y) = f^z] + \epsilon.$$

Then $D_f$ can be transformed to an algorithm which succeeds with probability arbitrarily close to 1: Choose random $r, s \in \{1, \ldots, p-1\}$, compute $f^{xr} = (f^x)^r$, $f^{ys} = (f^y)^s$, and $h = D_f(f^{xr}, f^{ys})$. If the output $h$ was correct, then

$$h = f^{xrys} = f^{xyrs}.$$

Let $t = (rs)^{-1} \pmod p$. Then, in the case of correct output $h$, $h^t = f^{xy}$. We can repeat this $O(1/\epsilon^2)$ times to get $f^{xy}$ as the most frequent value almost certainly.

Having the algorithm transformed to one which succeeds with probability very close to 1, the arguments in the proof of Theorem 1 apply. These assertions apply to all problems mentioned in this paper.

The closely related Discrete Logarithm Problem is much easier to deal with: An algorithm $DL_h$ is said to solve the Discrete Logarithm Problem (DLP) for base $h$ if, for each $x \in \{1, \ldots, p-1\}$, $DL_h(h^x) = x$.

Theorem 4. Assume that $f \in G \setminus \{1\}$, and there exists an algorithm $DL_f$ to solve the DLP for base $f$, in running time $T(f)$. Then for each $g \in G \setminus \{1\}$, there is an algorithm $DL_g$ which solves the DLP for base $g$ in running time $O(T(f))$.

Proof. Given $g^x$, find $x$ using the following sequence of computations: $r = DL_f(g)$, $rx = DL_f(f^{rx}) = DL_f(g^x)$, $s = r^{-1} \bmod p$, and $x = s \cdot rx \bmod p$. □
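The reductions in the proofs of Theorem 1 (with Lemma 2) and Theorem 4, run end to end as an added example that is not part of the paper. Everything is computed in a constructed toy group: the subgroup of prime order $p = 1019$ generated by the fast generator $f = 2$ in $\mathbb{F}_{2039}^*$ ($2039 = 2 \cdot 1019 + 1$ is a safe prime and $2039 \equiv 7 \pmod 8$, so 2 is a quadratic residue and has order 1019). The oracles $D_f$ and $DL_f$ that the proofs assume are simulated here by brute-force discrete logarithms, which is an assumption that only works because the group is tiny; the reductions themselves treat the oracles as black boxes, exactly as the proofs do, and never learn $r$. The function names and the values of $r, x, y$ are my own choices. `pow(a, -1, p)` for the inverse mod $p$ needs Python 3.8 or later.

```python
# Constructed toy group: Q = 2*P + 1 is a safe prime, and 2 is a quadratic residue
# mod Q (Q = 7 mod 8), so f = 2 generates the subgroup of prime order P.
Q, P, F_GEN = 2039, 1019, 2

def dlog_f(h):
    """Brute-force discrete log to base f: the toy stand-in for the DLP oracle DL_f."""
    acc = 1
    for x in range(P):
        if acc == h:
            return x
        acc = acc * F_GEN % Q
    raise ValueError("element not in <f>")

class OracleDf:
    """Simulated D_f with D_f(f^x, f^y) = f^{xy}; counts queries so Lemma 2's bound can be checked."""
    def __init__(self):
        self.queries = 0

    def __call__(self, fx, fy):
        self.queries += 1
        return pow(F_GEN, dlog_f(fx) * dlog_f(fy) % P, Q)

def lemma2_inverse_power(Df, fr):
    """Lemma 2: from f^r obtain f^{r^{-1} mod p} with at most 2 log2 p queries to D_f.
    r^{-1} = r^{p-2} (Fermat), so run square-and-multiply on the exponent of r, where
    'squaring' f^{r^e} -> f^{r^{2e}} and 'multiplying' f^{r^e} -> f^{r^{e+1}} are D_f queries."""
    bits = bin(P - 2)[2:]          # b_n ... b_0 with b_n = 1
    cur = fr                       # f^{r^1}: accounts for the leading bit
    for bit in bits[1:]:
        cur = Df(cur, cur)         # D_f(f^{r^e}, f^{r^e}) = f^{r^{2e}}
        if bit == "1":
            cur = Df(cur, fr)      # D_f(f^{r^{2e}}, f^r) = f^{r^{2e+1}}
    return cur                     # f^{r^{p-2}} = f^{r^{-1}}

def dhp_for_base_g(Df, g, gx, gy):
    """Theorem 1: D_g built from D_f alone; the r with g = f^r is never learned."""
    f_rinv = lemma2_inverse_power(Df, g)   # g = f^r, so this is f^{r^{-1}}
    fy = Df(f_rinv, gy)                    # D_f(f^{r^{-1}}, f^{ry}) = f^y
    return Df(gx, fy)                      # D_f(f^{rx}, f^y) = f^{rxy} = g^{xy}

def dlp_for_base_g(DLf, g, gx):
    """Theorem 4: DL_g from DL_f with two oracle calls and one inversion mod p."""
    r = DLf(g)                             # g = f^r
    rx = DLf(gx)                           # g^x = f^{rx}
    return pow(r, -1, P) * rx % P          # x = r^{-1} * rx mod p

def demo(r=777, x=123, y=456):
    """Returns (D_g correct, query bound 2*log2(p)+2 respected, DL_g correct)."""
    Df = OracleDf()
    g = pow(F_GEN, r, Q)
    gx, gy = pow(g, x, Q), pow(g, y, Q)
    dhp_ok = dhp_for_base_g(Df, g, gx, gy) == pow(g, x * y % P, Q)
    bound_ok = Df.queries <= 2 * P.bit_length() + 2
    dlp_ok = dlp_for_base_g(dlog_f, g, gx) == x
    return dhp_ok, bound_ok, dlp_ok
```

`demo()` builds $g = f^r$, checks that the derived $D_g$ returns $g^{xy}$ using Lemma 2's $2\log_2 p$ queries plus the two final ones, and checks that the derived $DL_g$ returns $x$.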

A closely related problem remains open: An algorithm $DDH_h$ is said to solve the Decisional Diffie-Hellman Problem (DDH) for base $h$ if, for each $x, y, z \in \{1, \ldots, p-1\}$, $DDH_h(h^x, h^y, h^z) = 1$ if, and only if, $z = xy$.

Problem 5. Assume that $f \in G \setminus \{1\}$, and there exists an algorithm $DDH_f$ to solve the DDH for base $f$, in running time $T(f)$. Does there exist, for each $g \in G \setminus \{1\}$, an algorithm $DDH_g$ which solves the DDH for base $g$ in running time polynomial in $T(f) \cdot \log p$?

Remark 6. Menezes has pointed out to us that in [2] it is shown that using 2 as a generator for certain discrete logarithm based signature schemes is vulnerable to forgeries, whereas in [7] it is shown that using a random generator in these schemes is provably secure (this is summarized in [9]). This can be contrasted with the results of the current section, and motivates the discussion in the remainder of the paper.

3. Malicious standards 

One can still figure out models of security for which it is not clear 
that using fast generators is as secure as using a random generator. 
For example, assume that the following holds. 

Scenario 7 (Malicious Diffie-Hellman (MDH)).

(1) There exist $f \in G \setminus \{1\}$, a function $F$, and an efficient algorithm $D_f$ such that for each $x, y \in \{1, \ldots, p-1\}$, $D_f(f^x, f^y) = F(f^{xy})$.

(2) For a random $g \in G \setminus \{1\}$, $F(g^{xy})$ cannot be efficiently extracted from $g^x$ and $g^y$.

(3) For random $x, y$, $F(f^{xy})$ has enough entropy to generate a key for symmetric encryption (e.g., 80 bits).

Remark 8. While it seems unlikely that MDH could hold, we should note that the field is full of surprises. For example, in [1] it is shown that there are some groups where the Diffie-Hellman Problem is difficult and the Decisional Diffie-Hellman Problem (see Section 2) is easy. See Remark 6 for another example.

If MDH holds, then $D_f$ reveals some information on the agreed key obtained by the Diffie-Hellman protocol using $f$ as a generator. In an extreme case, the function $F$ could be the hash function which Alice and Bob use to derive from $f^{ab}$ a key for symmetric encryption. However, in general it is not clear how to use $D_f$ to reveal the same information on $g^{ab}$ for a random generator $g$. Of course, there is a random $r \in \{1, \ldots, p-1\}$ such that $g = f^r$ and therefore

$$D_f(g^a, g^b) = D_f(f^{ra}, f^{rb}) = F(f^{r^2 ab}) = F(g^{rab}),$$

but $rab$ is a random element of $\{1, \ldots, p-1\}$ and independent of $ab$, so this information is of no use. Similar assertions hold for the Discrete Logarithm Problem.

Consequently, it might be the case that fast generators are not as secure as random ones. While we are unable to prove the impossibility of Scenario 7, we can show that if it is possible, then we cannot trust given standards for the Diffie-Hellman key agreement protocol, unless we know how they were generated.

Assume that MDH holds. Then an authority of standards can do the following: Choose a uniformly random trapdoor $t \in \{1, \ldots, p-1\}$, compute $g = f^t$, and suggest $(G, p, g)$ as the standard's parameters for the Diffie-Hellman key agreement protocol. As $t$ was uniformly random, $g$ is a uniformly random generator of $G$, so there is no way to know that it was chosen in a malicious way. Now, assume that Alice sends Bob $g^a$ and Bob sends Alice $g^b$. For everyone else but the authority of standards, deducing information on the agreed key $g^{ab}$ is impossible.

Claim 9. For all $a, b \in \{1, \ldots, p-1\}$, the authority of standards can compute $F(g^{ab})$ efficiently.

Proof. Using the trapdoor $t$, compute $t^{-1} \bmod p$, and $(g^b)^{t^{-1}}$, which is the same as $(f^{tb})^{t^{-1}} = f^b$. Now, compute $F(f^{tab}) = D_f(f^{ta}, f^b)$. But $f^{tab} = g^{ab}$. □

Consequently, the authority of standards can decrypt the messages sent between Alice and Bob.
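The algebra of Claim 9, and of the preceding argument that an eavesdropper without $t$ gains nothing from $D_f$, checked as an added example (Python code written for this page, not from the paper). MDH is a hypothesis, so the oracle $D_f$ has to be simulated: in the constructed toy group (the order-1019 subgroup generated by $f = 2$ in $\mathbb{F}_{2039}^*$) it is implemented by a brute-force discrete logarithm, and $F$ is taken to be the paper's "extreme case", the hash Alice and Bob apply to the agreed key (here a truncated SHA-256, my choice). The values of $t, a, b$ and all function names are constructed. `pow(a, -1, p)` needs Python 3.8 or later.

```python
import hashlib

# Constructed toy group (the Section 2 example): <2> has prime order 1019 in Z_2039^*.
Q, P, F_GEN = 2039, 1019, 2

def F(h):
    """Constructed stand-in for the function F of MDH: the hash Alice and Bob would
    apply to the agreed group element to derive a symmetric key (truncated to 64 bits)."""
    return hashlib.sha256(h.to_bytes(2, "big")).hexdigest()[:16]

def dlog_f(h):
    """Brute-force discrete log to base f (toy stand-in; feasible only because P is tiny)."""
    acc = 1
    for x in range(P):
        if acc == h:
            return x
        acc = acc * F_GEN % Q
    raise ValueError("element not in <f>")

def D_f(fx, fy):
    """Simulated MDH oracle: D_f(f^x, f^y) = F(f^{xy}).  The simulation cheats via dlog_f;
    the example is about the algebra around the oracle, not its internals."""
    return F(pow(F_GEN, dlog_f(fx) * dlog_f(fy) % P, Q))

def authority_recover(t, ga, gb):
    """Claim 9: with the trapdoor t (g = f^t), compute F(g^{ab}) from the public values."""
    fb = pow(gb, pow(t, -1, P), Q)    # (g^b)^{t^{-1}} = (f^{tb})^{t^{-1}} = f^b
    return D_f(ga, fb)                # D_f(f^{ta}, f^b) = F(f^{tab}) = F(g^{ab})

def eavesdropper_best_effort(ga, gb):
    """Without t, feeding the transcript to D_f gives D_f(f^{ta}, f^{tb}) = F(f^{t^2 ab}) = F(g^{tab}),
    which says nothing about F(g^{ab}) (the Section 3 argument with r = t)."""
    return D_f(ga, gb)

def demo(t=301, a=842, b=57):
    """Returns (what Alice and Bob derive, the authority's recovery, the eavesdropper's value)."""
    g = pow(F_GEN, t, Q)              # the published "standard" generator; uniform in G if t is
    ga, gb = pow(g, a, Q), pow(g, b, Q)
    agreed = F(pow(g, a * b % P, Q))
    return agreed, authority_recover(t, ga, gb), eavesdropper_best_effort(ga, gb)
```

`demo()` returns three values: the honest parties' key, the authority's recovery (equal to it), and the eavesdropper's value (a hash of the unrelated element $g^{tab}$). Nothing in the transcript or in $g$ itself distinguishes this $g$ from an honestly random one, which is the paper's point: the only defence is knowing how $g$ was produced, for instance a derivation of $g$ from public inputs that anyone can recompute rather than an unexplained constant.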

In the appendix we indicate a possible positive consequence of the 
MDH. We believe that many more can be derived from it. The proof of 
the impossibility of MDH under mild hypotheses, or the construction 
of a system for which MDH holds, are fascinating challenges. 
Remark 10. Galbraith has pointed out to us that there exist bit security results which show that for various natural functions $F$, computing $F(g^{ab})$ from $g^a$ and $g^b$ is as hard as the Diffie-Hellman Problem. See, e.g., [8] and references [1,2] therein. This is evidence for the difficulty of establishing MDH.

Appendix A. A public-key cryptosystem from the malicious Diffie-Hellman assumption

Assume that MDH holds for a group $G$ with prime order $p$ and a generator $f$. Then we define the following public-key cryptosystem for celebrities: In the intended application, we have some center (a "celebrity") sending messages to many recipients. The purpose is to minimize the communication load of the center's messages.

(1) $G$ and $p$ are publicly known.

(2) A celebrity, say Bob, chooses a random $r \in \{1, \ldots, p-1\}$ and publishes $g = f^r$.

(3) Each one (say, Alice) who wishes to obtain in the future messages from Bob should choose a random $a \in \{1, \ldots, p-1\}$ and publish $g^a$.

(4) When Bob wishes to encrypt a message to Alice, he computes $F(g^{a^2})$ (using $r$ he can do that, as shown in Section 3) and uses some known hash function of the result as a key for a block cipher with which he encrypts the message to Alice.

(5) Alice can compute $g^{a^2}$ and thus decrypt the message.

(6) Users other than Bob who wish to send messages to one another or to Bob can use standard algorithms like El-Gamal.

Note that the length of Bob's encrypted messages is the same as that of the plain messages.

Our suggested protocol is based on the difficulty of finding $g^{a^2}$ given $g^a$. Menezes has pointed out to us that in Section 5.3 of [5] it is shown that this is as difficult as the Diffie-Hellman Problem: Indeed, given $g^a$ and $g^b$, compute $g^{a+b} = g^a \cdot g^b$, and then compute $g^{a^2}$, $g^{b^2}$, and $g^{(a+b)^2}$. Using these, compute

$$g^{2ab} = g^{(a+b)^2} \cdot \left(g^{a^2}\right)^{-1} \cdot \left(g^{b^2}\right)^{-1}.$$

Finally, compute $g^{ab} = \left(g^{2ab}\right)^{2^{-1} \bmod p}$.
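Steps (2), (4) and (5) of the celebrity scheme, together with the reduction just quoted from [5], as an added example (Python code written for this page, not from the paper). The constructed toy group is again the order-1019 subgroup generated by $f = 2$ in $\mathbb{F}_{2039}^*$; the MDH oracle $D_f$ and the squaring oracle $g^a \mapsto g^{a^2}$ assumed by the reduction are both simulated by brute-force discrete logarithms, which is possible only in a toy group, and $F$ is a constructed truncated hash. Bob's $r$, Alice's $a$, the exponent $b$ and the function names are my own choices. `pow(a, -1, m)` needs Python 3.8 or later.

```python
import hashlib

# Constructed toy group, as in the earlier examples: <2> has prime order 1019 in Z_2039^*.
Q, P, F_GEN = 2039, 1019, 2

def F(h):
    """Constructed stand-in for the MDH function F (a truncated hash of the element)."""
    return hashlib.sha256(h.to_bytes(2, "big")).hexdigest()[:16]

def dlog(base, h):
    """Brute-force discrete log in <base> (toy stand-in; feasible only because P is tiny)."""
    acc = 1
    for x in range(P):
        if acc == h:
            return x
        acc = acc * base % Q
    raise ValueError("element not in the subgroup")

def D_f(fx, fy):
    """Simulated MDH oracle for base f: D_f(f^x, f^y) = F(f^{xy})."""
    return F(pow(F_GEN, dlog(F_GEN, fx) * dlog(F_GEN, fy) % P, Q))

def bob_publish(r):
    """Step (2): the celebrity keeps r and publishes g = f^r."""
    return pow(F_GEN, r, Q)

def bob_key_for_alice(r, ga):
    """Step (4): from Alice's public g^a, recover F(g^{a^2}) using the trapdoor r."""
    fa = pow(ga, pow(r, -1, P), Q)    # (g^a)^{r^{-1}} = (f^{ra})^{r^{-1}} = f^a
    return D_f(fa, ga)                # D_f(f^a, f^{ra}) = F(f^{r a^2}) = F(g^{a^2})

def alice_key(g, a):
    """Step (5): Alice knows a, so she computes g^{a^2} directly."""
    return F(pow(g, a * a % P, Q))

def SQ(g, ga):
    """Toy squaring oracle assumed by the reduction in [5]: g^{a^2} from g^a (via brute-force dlog)."""
    return pow(ga, dlog(g, ga), Q)    # (g^a)^a = g^{a^2}

def dh_from_squaring(g, ga, gb):
    """The reduction quoted from Section 5.3 of [5]: g^{ab} from g^a and g^b using only SQ."""
    g_sum = ga * gb % Q                                      # g^{a+b}
    g_a2, g_b2, g_s2 = SQ(g, ga), SQ(g, gb), SQ(g, g_sum)    # g^{a^2}, g^{b^2}, g^{(a+b)^2}
    g_2ab = g_s2 * pow(g_a2, -1, Q) * pow(g_b2, -1, Q) % Q   # g^{2ab}, inverses taken in Z_Q^*
    return pow(g_2ab, pow(2, -1, P), Q)                      # (g^{2ab})^{2^{-1} mod p} = g^{ab}

def demo(r=611, a=314, b=159):
    """Returns (Bob's and Alice's keys agree, squaring oracle yields g^{ab})."""
    g = bob_publish(r)
    ga, gb = pow(g, a, Q), pow(g, b, Q)
    keys_agree = bob_key_for_alice(r, ga) == alice_key(g, a)
    dh_ok = dh_from_squaring(g, ga, gb) == pow(g, a * b % P, Q)
    return keys_agree, dh_ok
```

`demo()` confirms that Bob, holding $r$, and Alice, holding $a$, derive the same $F(g^{a^2})$ from a single published value $g^a$, and that any oracle computing $g^{a^2}$ from $g^a$ solves the Diffie-Hellman Problem in the group, so the scheme's security is exactly that of Diffie-Hellman.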

Remark 11. We can base a protocol with the same properties on clas- 
sical assumptions: Bob publishes g and g b (for some random b of his 
choice), and each other user, say Alice, publishes g a and computes a 
hash value of g ab to be used as symmetric key to decipher messages 
from Bob. Thus, our suggested protocol should only be considered as an indication of the potential usefulness of MDH, which is not fully understood yet.